Skip to content

Commit

Permalink
Update ###mmistakes#2023-01-21-IAM-attacking-AWS.md
Browse files Browse the repository at this point in the history
  • Loading branch information
kymb0 authored Jan 22, 2023
1 parent 99d681b commit 79e4189
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion _posts/####2023-01-21-IAM-attacking-AWS.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ tags:

After identifying a knowledge gap in pentesting AWS (and cloud in general), I decided to spin up and attack [AWSGoat](https://github.com/ine-labs/AWSGoat) which is an intentionally vulnerable AWS lab environment with multiple paths to privilege escalation.

I learnt a ton about IAM and how to attack it and, more importantly, had an absolute blast. so much in fact, that I have decided to make this a 3-part series to include [AzureGoat](https://github.com/ine-labs/AzureGoat) and [GCPGoat](https://github.com/ine-labs/GCPGoat)
I learnt a ton about IAM and how to attack it and, more importantly, had an absolute blast. So much in fact, that I have decided to make this a 3-part series to include [AzureGoat](https://github.com/ine-labs/AzureGoat) and [GCPGoat](https://github.com/ine-labs/GCPGoat)


## Discovering the Application
Expand Down Expand Up @@ -103,6 +103,8 @@ So reviewing the above output we can see that this policy has access to attach p

## Abusing Lambda to escalate privileges

### Think of Lambda as "Function as a Service", it is based on a "micro-VM" architecture called [Firecracker](https://github.com/firecracker-microvm/firecracker)

I decided to go down the route of abusing these actions via Lambda, as I thought [Cloudtrail](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/index.html) may be less likely to be configured to feed Lambda logs into [GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html) in a "real" environment (I could be way off here), nevertheless the following is a valuable exercise in understanding IAM and Lambda.
Let's take another look at the `blog_app_lambda_data` role now that we have an account with sufficient `iam` actions to effectively enumerate.

Expand Down

0 comments on commit 79e4189

Please sign in to comment.